From addb52d6289c7f0258443f8a3cee08c00ac18f39 Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman Date: Sun, 14 Jan 2018 09:09:08 +0100 Subject: [PATCH] 4.14-stable patches added patches: staging-android-ashmem-fix-a-race-condition-in-ashmem_set_size-ioctl.patch usb-fix-usbmon-bug-trigger.patch usb-misc-usb3503-make-sure-reset-is-low-for-at-least-100us.patch usb-serial-cp210x-add-ids-for-lifescan-onetouch-verio-iq.patch usb-serial-cp210x-add-new-device-id-elv-alc-8xxx.patch usb-udc-core-fix-double-free-in-usb_add_gadget_udc_release.patch usbip-fix-vudc_rx-harden-cmd_submit-path-to-handle-malicious-input.patch usbip-remove-kernel-addresses-from-usb-device-and-urb-debug-msgs.patch usbip-vudc_tx-fix-v_send_ret_submit-vulnerability-to-null-xfer-buffer.patch --- queue-4.14/series | 9 ++ ...e-condition-in-ashmem_set_size-ioctl.patch | 38 +++++++ queue-4.14/usb-fix-usbmon-bug-trigger.patch | 52 ++++++++++ ...sure-reset-is-low-for-at-least-100us.patch | 38 +++++++ ...d-ids-for-lifescan-onetouch-verio-iq.patch | 33 +++++++ ...p210x-add-new-device-id-elv-alc-8xxx.patch | 30 ++++++ ...e-free-in-usb_add_gadget_udc_release.patch | 98 +++++++++++++++++++ ...ubmit-path-to-handle-malicious-input.patch | 49 ++++++++++ ...s-from-usb-device-and-urb-debug-msgs.patch | 80 +++++++++++++++ ...it-vulnerability-to-null-xfer-buffer.patch | 50 ++++++++++ 10 files changed, 477 insertions(+) create mode 100644 queue-4.14/staging-android-ashmem-fix-a-race-condition-in-ashmem_set_size-ioctl.patch create mode 100644 queue-4.14/usb-fix-usbmon-bug-trigger.patch create mode 100644 queue-4.14/usb-misc-usb3503-make-sure-reset-is-low-for-at-least-100us.patch create mode 100644 queue-4.14/usb-serial-cp210x-add-ids-for-lifescan-onetouch-verio-iq.patch create mode 100644 queue-4.14/usb-serial-cp210x-add-new-device-id-elv-alc-8xxx.patch create mode 100644 queue-4.14/usb-udc-core-fix-double-free-in-usb_add_gadget_udc_release.patch create mode 100644 queue-4.14/usbip-fix-vudc_rx-harden-cmd_submit-path-to-handle-malicious-input.patch create mode 100644 
queue-4.14/usbip-remove-kernel-addresses-from-usb-device-and-urb-debug-msgs.patch
 create mode 100644 queue-4.14/usbip-vudc_tx-fix-v_send_ret_submit-vulnerability-to-null-xfer-buffer.patch
diff --git a/queue-4.14/series b/queue-4.14/series
index 2d32084d512..461da2863f1 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
@@ -72,3 +72,12 @@ drm-i915-fix-init_clock_gating-for-resume.patch
 bpf-prevent-out-of-bounds-speculation.patch
 bpf-array-fix-overflow-in-max_entries-and-undefined-behavior-in-index_mask.patch
 bpf-arsh-is-not-supported-in-32-bit-alu-thus-reject-it.patch
+usb-serial-cp210x-add-ids-for-lifescan-onetouch-verio-iq.patch
+usb-serial-cp210x-add-new-device-id-elv-alc-8xxx.patch
+usb-misc-usb3503-make-sure-reset-is-low-for-at-least-100us.patch
+usb-fix-usbmon-bug-trigger.patch
+usb-udc-core-fix-double-free-in-usb_add_gadget_udc_release.patch
+usbip-remove-kernel-addresses-from-usb-device-and-urb-debug-msgs.patch
+usbip-fix-vudc_rx-harden-cmd_submit-path-to-handle-malicious-input.patch
+usbip-vudc_tx-fix-v_send_ret_submit-vulnerability-to-null-xfer-buffer.patch
+staging-android-ashmem-fix-a-race-condition-in-ashmem_set_size-ioctl.patch
diff --git a/queue-4.14/staging-android-ashmem-fix-a-race-condition-in-ashmem_set_size-ioctl.patch b/queue-4.14/staging-android-ashmem-fix-a-race-condition-in-ashmem_set_size-ioctl.patch
new file mode 100644
index 00000000000..6e83073d0e3
--- /dev/null
+++ b/queue-4.14/staging-android-ashmem-fix-a-race-condition-in-ashmem_set_size-ioctl.patch
@@ -0,0 +1,38 @@
+From 443064cb0b1fb4569fe0a71209da7625129fb760 Mon Sep 17 00:00:00 2001
+From: Viktor Slavkovic
+Date: Mon, 8 Jan 2018 10:43:03 -0800
+Subject: staging: android: ashmem: fix a race condition in ASHMEM_SET_SIZE ioctl
+
+From: Viktor Slavkovic
+
+commit 443064cb0b1fb4569fe0a71209da7625129fb760 upstream.
+
+A lock-unlock is missing in ASHMEM_SET_SIZE ioctl which can result in a
+race condition when mmap is called. After the !asma->file check, before
+setting asma->size, asma->file can be set in mmap. That would result in
+having different asma->size than the mapped memory size. Combined with
+ASHMEM_UNPIN ioctl and shrinker invocation, this can result in memory
+corruption.
+
+Signed-off-by: Viktor Slavkovic
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/staging/android/ashmem.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/staging/android/ashmem.c
++++ b/drivers/staging/android/ashmem.c
+@@ -765,10 +765,12 @@ static long ashmem_ioctl(struct file *fi
+ break;
+ case ASHMEM_SET_SIZE:
+ ret = -EINVAL;
++ mutex_lock(&ashmem_mutex);
+ if (!asma->file) {
+ ret = 0;
+ asma->size = (size_t)arg;
+ }
++ mutex_unlock(&ashmem_mutex);
+ break;
+ case ASHMEM_GET_SIZE:
+ ret = asma->size;
diff --git a/queue-4.14/usb-fix-usbmon-bug-trigger.patch b/queue-4.14/usb-fix-usbmon-bug-trigger.patch
new file mode 100644
index 00000000000..5df2b16daae
--- /dev/null
+++ b/queue-4.14/usb-fix-usbmon-bug-trigger.patch
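Review bot: The new lock/unlock pair in the ASHMEM_SET_SIZE case carries no comment saying what it protects, and the neighbouring ASHMEM_GET_SIZE case still reads `asma->size` outside `ashmem_mutex`, which a reader will take as an oversight rather than a deliberate choice. A one-line comment above the new `mutex_lock()` would pin the invariant the commit message describes: `/* ashmem_mutex: the !asma->file test and the size store must not be split by a concurrent mmap */`. Whether the unlocked read in ASHMEM_GET_SIZE matters depends on how the value is consumed; that case and the rest of `ashmem_ioctl()` continue outside the hunk.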
@@ -0,0 +1,52 @@
+From 46eb14a6e1585d99c1b9f58d0e7389082a5f466b Mon Sep 17 00:00:00 2001
+From: Pete Zaitcev
+Date: Mon, 8 Jan 2018 15:46:41 -0600
+Subject: USB: fix usbmon BUG trigger
+
+From: Pete Zaitcev
+
+commit 46eb14a6e1585d99c1b9f58d0e7389082a5f466b upstream.
+
+Automated tests triggered this by opening usbmon and accessing the
+mmap while simultaneously resizing the buffers. This bug was with
+us since 2006, because typically applications only size the buffers
+once and thus avoid racing. Reported by Kirill A. Shutemov.
+
+Reported-by:
+Signed-off-by: Pete Zaitcev
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/mon/mon_bin.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/mon/mon_bin.c
++++ b/drivers/usb/mon/mon_bin.c
+@@ -1004,7 +1004,9 @@ static long mon_bin_ioctl(struct file *f
+ break;
+ 
+ case MON_IOCQ_RING_SIZE:
++ mutex_lock(&rp->fetch_lock);
+ ret = rp->b_size;
++ mutex_unlock(&rp->fetch_lock);
+ break;
+ 
+ case MON_IOCT_RING_SIZE:
+@@ -1231,12 +1233,16 @@ static int mon_bin_vma_fault(struct vm_f
+ unsigned long offset, chunk_idx;
+ struct page *pageptr;
+ 
++ mutex_lock(&rp->fetch_lock);
+ offset = vmf->pgoff << PAGE_SHIFT;
+- if (offset >= rp->b_size)
++ if (offset >= rp->b_size) {
++ mutex_unlock(&rp->fetch_lock);
+ return VM_FAULT_SIGBUS;
++ }
+ chunk_idx = offset / CHUNK_SIZE;
+ pageptr = rp->b_vec[chunk_idx].pg;
+ get_page(pageptr);
++ mutex_unlock(&rp->fetch_lock);
+ vmf->page = pageptr;
+ return 0;
+ }
diff --git a/queue-4.14/usb-misc-usb3503-make-sure-reset-is-low-for-at-least-100us.patch b/queue-4.14/usb-misc-usb3503-make-sure-reset-is-low-for-at-least-100us.patch
new file mode 100644
index 00000000000..f98b618749c
--- /dev/null
+++ b/queue-4.14/usb-misc-usb3503-make-sure-reset-is-low-for-at-least-100us.patch
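Review bot: `mon_bin_vma_fault()` now takes `rp->fetch_lock` around the `b_size` comparison and the `b_vec[chunk_idx]` lookup, but nothing in the code says why a page-fault handler needs this mutex; the commit message suggests `b_size` and `b_vec` are replaced under that lock when the ring is resized. A comment above the new `mutex_lock()` would make the invariant explicit, e.g. `/* fetch_lock: b_size and b_vec may be swapped by a concurrent ring resize */`, worded more precisely if that is not exactly the lock's documented role. `mon_bin_ioctl()` begins, and the MON_IOCT_RING_SIZE handling continues, outside the hunk, so whether every other reader of `b_size` is now covered cannot be told from here.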
@@ -0,0 +1,38 @@
+From b8626f1dc29d3eee444bfaa92146ec7b291ef41c Mon Sep 17 00:00:00 2001
+From: Stefan Agner
+Date: Thu, 11 Jan 2018 14:47:40 +0100
+Subject: usb: misc: usb3503: make sure reset is low for at least 100us
+
+From: Stefan Agner
+
+commit b8626f1dc29d3eee444bfaa92146ec7b291ef41c upstream.
+
+When using a GPIO which is high by default, and initialize the
+driver in USB Hub mode, initialization fails with:
+ [ 111.757794] usb3503 0-0008: SP_ILOCK failed (-5)
+
+The reason seems to be that the chip is not properly reset.
+Probe does initialize reset low, however some lines later the
+code already set it back high, which is not long enouth.
+
+Make sure reset is asserted for at least 100us by inserting a
+delay after initializing the reset pin during probe.
+
+Signed-off-by: Stefan Agner
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/misc/usb3503.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/usb/misc/usb3503.c
++++ b/drivers/usb/misc/usb3503.c
+@@ -292,6 +292,8 @@ static int usb3503_probe(struct usb3503
+ if (gpio_is_valid(hub->gpio_reset)) {
+ err = devm_gpio_request_one(dev, hub->gpio_reset,
+ GPIOF_OUT_INIT_LOW, "usb3503 reset");
++ /* Datasheet defines a hardware reset to be at least 100us */
++ usleep_range(100, 10000);
+ if (err) {
+ dev_err(dev,
+ "unable to request GPIO %d as reset pin (%d)\n",
diff --git a/queue-4.14/usb-serial-cp210x-add-ids-for-lifescan-onetouch-verio-iq.patch b/queue-4.14/usb-serial-cp210x-add-ids-for-lifescan-onetouch-verio-iq.patch
new file mode 100644
index 00000000000..d4d6b750e71
--- /dev/null
+++ b/queue-4.14/usb-serial-cp210x-add-ids-for-lifescan-onetouch-verio-iq.patch
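Review bot: The new `usleep_range(100, 10000)` is inserted between the `devm_gpio_request_one()` call and its `if (err)` check, so probe sleeps even when the GPIO request failed and the function is presumably about to bail out. Moving the two added lines to just after the `if (err) { ... }` block keeps the delay on the success path only and keeps the request/check pair adjacent, which is how the rest of the function is written. The `if (err)` body continues outside the hunk, so this assumes it returns on failure.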
@@ -0,0 +1,33 @@
+From 4307413256ac1e09b8f53e8715af3df9e49beec3 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Diego=20Elio=20Petten=C3=B2?=
+Date: Fri, 29 Dec 2017 09:54:25 +0000
+Subject: USB: serial: cp210x: add IDs for LifeScan OneTouch Verio IQ
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Diego Elio Pettenò
+
+commit 4307413256ac1e09b8f53e8715af3df9e49beec3 upstream.
+
+Add IDs for the OneTouch Verio IQ that comes with an embedded
+USB-to-serial converter.
+
+Signed-off-by: Diego Elio Pettenò
+Signed-off-by: Johan Hovold
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/serial/cp210x.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/serial/cp210x.c
++++ b/drivers/usb/serial/cp210x.c
+@@ -127,6 +127,7 @@ static const struct usb_device_id id_tab
+ { USB_DEVICE(0x10C4, 0x8470) }, /* Juniper Networks BX Series System Console */
+ { USB_DEVICE(0x10C4, 0x8477) }, /* Balluff RFID */
+ { USB_DEVICE(0x10C4, 0x84B6) }, /* Starizona Hyperion */
++ { USB_DEVICE(0x10C4, 0x85A7) }, /* LifeScan OneTouch Verio IQ */
+ { USB_DEVICE(0x10C4, 0x85EA) }, /* AC-Services IBUS-IF */
+ { USB_DEVICE(0x10C4, 0x85EB) }, /* AC-Services CIS-IBUS */
+ { USB_DEVICE(0x10C4, 0x85F8) }, /* Virtenio Preon32 */
diff --git a/queue-4.14/usb-serial-cp210x-add-new-device-id-elv-alc-8xxx.patch b/queue-4.14/usb-serial-cp210x-add-new-device-id-elv-alc-8xxx.patch
new file mode 100644
index 00000000000..59d2c981610
--- /dev/null
+++ b/queue-4.14/usb-serial-cp210x-add-new-device-id-elv-alc-8xxx.patch
@@ -0,0 +1,30 @@
+From d14ac576d10f865970bb1324d337e5e24d79aaf4 Mon Sep 17 00:00:00 2001
+From: Christian Holl
+Date: Wed, 3 Jan 2018 19:53:02 +0100
+Subject: USB: serial: cp210x: add new device ID ELV ALC 8xxx
+
+From: Christian Holl
+
+commit d14ac576d10f865970bb1324d337e5e24d79aaf4 upstream.
+
+This adds the ELV ALC 8xxx Battery Charging device
+to the list of USB IDs of drivers/usb/serial/cp210x.c
+
+Signed-off-by: Christian Holl
+Signed-off-by: Johan Hovold
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/serial/cp210x.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/serial/cp210x.c
++++ b/drivers/usb/serial/cp210x.c
+@@ -178,6 +178,7 @@ static const struct usb_device_id id_tab
+ { USB_DEVICE(0x1843, 0x0200) }, /* Vaisala USB Instrument Cable */
+ { USB_DEVICE(0x18EF, 0xE00F) }, /* ELV USB-I2C-Interface */
+ { USB_DEVICE(0x18EF, 0xE025) }, /* ELV Marble Sound Board 1 */
++ { USB_DEVICE(0x18EF, 0xE030) }, /* ELV ALC 8xxx Battery Charger */
+ { USB_DEVICE(0x18EF, 0xE032) }, /* ELV TFD500 Data Logger */
+ { USB_DEVICE(0x1901, 0x0190) }, /* GE B850 CP2105 Recorder interface */
+ { USB_DEVICE(0x1901, 0x0193) }, /* GE B650 CP2104 PMC interface */
diff --git a/queue-4.14/usb-udc-core-fix-double-free-in-usb_add_gadget_udc_release.patch b/queue-4.14/usb-udc-core-fix-double-free-in-usb_add_gadget_udc_release.patch
new file mode 100644
index 00000000000..6a3d997ee94
--- /dev/null
+++ b/queue-4.14/usb-udc-core-fix-double-free-in-usb_add_gadget_udc_release.patch
@@ -0,0 +1,98 @@
+From 7ae2c3c280db183ca9ada2675c34ec2f7378abfa Mon Sep 17 00:00:00 2001
+From: Alan Stern
+Date: Wed, 3 Jan 2018 12:51:51 -0500
+Subject: USB: UDC core: fix double-free in usb_add_gadget_udc_release
+
+From: Alan Stern
+
+commit 7ae2c3c280db183ca9ada2675c34ec2f7378abfa upstream.
+
+The error-handling pathways in usb_add_gadget_udc_release() are messed
+up. Aside from the uninformative statement labels, they can deallocate
+the udc structure after calling put_device(), which is a double-free.
+This was observed by KASAN in automatic testing.
+
+This patch cleans up the routine. It preserves the requirement that
+when any failure occurs, we call put_device(&gadget->dev).
+
+Signed-off-by: Alan Stern
+Reported-by: Fengguang Wu
+Reviewed-by: Peter Chen
+Acked-by: Felipe Balbi
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/gadget/udc/core.c | 28 +++++++++++++---------------
+ 1 file changed, 13 insertions(+), 15 deletions(-)
+
+--- a/drivers/usb/gadget/udc/core.c
++++ b/drivers/usb/gadget/udc/core.c
+@@ -1158,11 +1158,7 @@ int usb_add_gadget_udc_release(struct de
+ 
+ udc = kzalloc(sizeof(*udc), GFP_KERNEL);
+ if (!udc)
+- goto err1;
+-
+- ret = device_add(&gadget->dev);
+- if (ret)
+- goto err2;
++ goto err_put_gadget;
+ 
+ device_initialize(&udc->dev);
+ udc->dev.release = usb_udc_release;
+@@ -1171,7 +1167,11 @@ int usb_add_gadget_udc_release(struct de
+ udc->dev.parent = parent;
+ ret = dev_set_name(&udc->dev, "%s", kobject_name(&parent->kobj));
+ if (ret)
+- goto err3;
++ goto err_put_udc;
++
++ ret = device_add(&gadget->dev);
++ if (ret)
++ goto err_put_udc;
+ 
+ udc->gadget = gadget;
+ gadget->udc = udc;
+@@ -1181,7 +1181,7 @@ int usb_add_gadget_udc_release(struct de
+ 
+ ret = device_add(&udc->dev);
+ if (ret)
+- goto err4;
++ goto err_unlist_udc;
+ 
+ usb_gadget_set_state(gadget, USB_STATE_NOTATTACHED);
+ udc->vbus = true;
+@@ -1189,27 +1189,25 @@ int usb_add_gadget_udc_release(struct de
+ /* pick up one of pending gadget drivers */
+ ret = check_pending_gadget_drivers(udc);
+ if (ret)
+- goto err5;
++ goto err_del_udc;
+ 
+ mutex_unlock(&udc_lock);
+ 
+ return 0;
+ 
+-err5:
++ err_del_udc:
+ device_del(&udc->dev);
+ 
+-err4:
++ err_unlist_udc:
+ list_del(&udc->list);
+ mutex_unlock(&udc_lock);
+ 
+-err3:
+- put_device(&udc->dev);
+ device_del(&gadget->dev);
+ 
+-err2:
+- kfree(udc);
++ err_put_udc:
++ put_device(&udc->dev);
+ 
+-err1:
++ err_put_gadget:
+ put_device(&gadget->dev);
+ return ret;
+ }
diff --git a/queue-4.14/usbip-fix-vudc_rx-harden-cmd_submit-path-to-handle-malicious-input.patch b/queue-4.14/usbip-fix-vudc_rx-harden-cmd_submit-path-to-handle-malicious-input.patch
new file mode 100644
index 00000000000..cddf045ffee
--- /dev/null
+++ b/queue-4.14/usbip-fix-vudc_rx-harden-cmd_submit-path-to-handle-malicious-input.patch
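Review bot: The new labels `err_del_udc:`, `err_unlist_udc:`, `err_put_udc:` and `err_put_gadget:` appear to carry a leading space where the removed `err1:`..`err5:` labels started at column 0; kernel style keeps labels unindented and checkpatch warns on indented labels, so the whitespace is worth a look even though it matches upstream. The unwind order itself is sound: `device_add(&gadget->dev)` now runs after `dev_set_name()`, so its failure correctly lands on `err_put_udc`, and `put_device(&udc->dev)` replaces the `kfree(udc)` that used to follow the put, which is the double free the commit fixes. A short comment at `err_put_udc:` such as `/* udc is released by usb_udc_release() via put_device(); do not kfree() it here */` would stop a later maintainer from re-adding the free.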
@@ -0,0 +1,49 @@
+From b78d830f0049ef1966dc1e0ebd1ec2a594e2cf25 Mon Sep 17 00:00:00 2001
+From: Shuah Khan
+Date: Fri, 22 Dec 2017 19:23:46 -0700
+Subject: usbip: fix vudc_rx: harden CMD_SUBMIT path to handle malicious input
+
+From: Shuah Khan
+
+commit b78d830f0049ef1966dc1e0ebd1ec2a594e2cf25 upstream.
+
+Harden CMD_SUBMIT path to handle malicious input that could trigger
+large memory allocations. Add checks to validate transfer_buffer_length
+and number_of_packets to protect against bad input requesting for
+unbounded memory allocations.
+
+Signed-off-by: Shuah Khan
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/usbip/vudc_rx.c | 19 +++++++++++++++++++
+ 1 file changed, 19 insertions(+)
+
+--- a/drivers/usb/usbip/vudc_rx.c
++++ b/drivers/usb/usbip/vudc_rx.c
+@@ -132,6 +132,25 @@ static int v_recv_cmd_submit(struct vudc
+ urb_p->new = 1;
+ urb_p->seqnum = pdu->base.seqnum;
+ 
++ if (urb_p->ep->type == USB_ENDPOINT_XFER_ISOC) {
++ /* validate packet size and number of packets */
++ unsigned int maxp, packets, bytes;
++
++ maxp = usb_endpoint_maxp(urb_p->ep->desc);
++ maxp *= usb_endpoint_maxp_mult(urb_p->ep->desc);
++ bytes = pdu->u.cmd_submit.transfer_buffer_length;
++ packets = DIV_ROUND_UP(bytes, maxp);
++
++ if (pdu->u.cmd_submit.number_of_packets < 0 ||
++ pdu->u.cmd_submit.number_of_packets > packets) {
++ dev_err(&udc->gadget.dev,
++ "CMD_SUBMIT: isoc invalid num packets %d\n",
++ pdu->u.cmd_submit.number_of_packets);
++ ret = -EMSGSIZE;
++ goto free_urbp;
++ }
++ }
++
+ ret = alloc_urb_from_cmd(&urb_p->urb, pdu, urb_p->ep->type);
+ if (ret) {
+ usbip_event_add(&udc->ud, VUDC_EVENT_ERROR_MALLOC);
diff --git a/queue-4.14/usbip-remove-kernel-addresses-from-usb-device-and-urb-debug-msgs.patch b/queue-4.14/usbip-remove-kernel-addresses-from-usb-device-and-urb-debug-msgs.patch
new file mode 100644
index 00000000000..92084a1261d
--- /dev/null
+++ b/queue-4.14/usbip-remove-kernel-addresses-from-usb-device-and-urb-debug-msgs.patch
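Review bot: The added check bounds `number_of_packets` only relative to `packets`, which is derived from `transfer_buffer_length` through `DIV_ROUND_UP(bytes, maxp)`, but `transfer_buffer_length` itself is not range-checked in this hunk: if that PDU field is signed, a negative value stored into the unsigned `bytes` produces a huge `packets` and the comparison passes for any non-negative `number_of_packets`. A direct upper bound on `bytes` before the division would close that gap, and if `maxp` can ever be 0 for an endpoint descriptor the `DIV_ROUND_UP` divides by zero, so a `if (!maxp)` guard is cheap insurance. The `dev_err()` fires on peer-controlled input, so `dev_err_ratelimited()` is the better fit; the same applies to the `dev_err()` added in the vudc_tx hunk below. Whether `alloc_urb_from_cmd()` bounds the length is outside the hunk.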
@@ -0,0 +1,80 @@
+From e1346fd87c71a1f61de1fe476ec8df1425ac931c Mon Sep 17 00:00:00 2001
+From: Shuah Khan
+Date: Fri, 22 Dec 2017 17:00:06 -0700
+Subject: usbip: remove kernel addresses from usb device and urb debug msgs
+
+From: Shuah Khan
+
+commit e1346fd87c71a1f61de1fe476ec8df1425ac931c upstream.
+
+usbip_dump_usb_device() and usbip_dump_urb() print kernel addresses.
+Remove kernel addresses from usb device and urb debug msgs and improve
+the message content.
+
+Instead of printing parent device and bus addresses, print parent device
+and bus names.
+
+Signed-off-by: Shuah Khan
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/usbip/usbip_common.c | 17 +++--------------
+ 1 file changed, 3 insertions(+), 14 deletions(-)
+
+--- a/drivers/usb/usbip/usbip_common.c
++++ b/drivers/usb/usbip/usbip_common.c
+@@ -105,7 +105,7 @@ static void usbip_dump_usb_device(struct
+ dev_dbg(dev, " devnum(%d) devpath(%s) usb speed(%s)",
+ udev->devnum, udev->devpath, usb_speed_string(udev->speed));
+ 
+- pr_debug("tt %p, ttport %d\n", udev->tt, udev->ttport);
++ pr_debug("tt hub ttport %d\n", udev->ttport);
+ 
+ dev_dbg(dev, " ");
+ for (i = 0; i < 16; i++)
+@@ -138,12 +138,8 @@ static void usbip_dump_usb_device(struct
+ }
+ pr_debug("\n");
+ 
+- dev_dbg(dev, "parent %p, bus %p\n", udev->parent, udev->bus);
+-
+- dev_dbg(dev,
+- "descriptor %p, config %p, actconfig %p, rawdescriptors %p\n",
+- &udev->descriptor, udev->config,
+- udev->actconfig, udev->rawdescriptors);
++ dev_dbg(dev, "parent %s, bus %s\n", dev_name(&udev->parent->dev),
++ udev->bus->bus_name);
+ 
+ dev_dbg(dev, "have_langid %d, string_langid %d\n",
+ udev->have_langid, udev->string_langid);
+@@ -251,9 +247,6 @@ void usbip_dump_urb(struct urb *urb)
+ 
+ dev = &urb->dev->dev;
+ 
+- dev_dbg(dev, " urb :%p\n", urb);
+- dev_dbg(dev, " dev :%p\n", urb->dev);
+-
+ usbip_dump_usb_device(urb->dev);
+ 
+ dev_dbg(dev, " pipe :%08x ", urb->pipe);
+@@ -262,11 +255,9 @@ void usbip_dump_urb(struct urb *urb)
+ 
+ dev_dbg(dev, " status :%d\n", urb->status);
+ dev_dbg(dev, " transfer_flags :%08X\n", urb->transfer_flags);
+- dev_dbg(dev, " transfer_buffer :%p\n", urb->transfer_buffer);
+ dev_dbg(dev, " transfer_buffer_length:%d\n",
+ urb->transfer_buffer_length);
+ dev_dbg(dev, " actual_length :%d\n", urb->actual_length);
+- dev_dbg(dev, " setup_packet :%p\n", urb->setup_packet);
+ 
+ if (urb->setup_packet && usb_pipetype(urb->pipe) == PIPE_CONTROL)
+ usbip_dump_usb_ctrlrequest(
+@@ -276,8 +267,6 @@ void usbip_dump_urb(struct urb *urb)
+ dev_dbg(dev, " number_of_packets :%d\n", urb->number_of_packets);
+ dev_dbg(dev, " interval :%d\n", urb->interval);
+ dev_dbg(dev, " error_count :%d\n", urb->error_count);
+- dev_dbg(dev, " context :%p\n", urb->context);
+- dev_dbg(dev, " complete :%p\n", urb->complete);
+ }
+ EXPORT_SYMBOL_GPL(usbip_dump_urb);
+ 
diff --git a/queue-4.14/usbip-vudc_tx-fix-v_send_ret_submit-vulnerability-to-null-xfer-buffer.patch b/queue-4.14/usbip-vudc_tx-fix-v_send_ret_submit-vulnerability-to-null-xfer-buffer.patch
new file mode 100644
index 00000000000..618b897b8cd
--- /dev/null
+++ b/queue-4.14/usbip-vudc_tx-fix-v_send_ret_submit-vulnerability-to-null-xfer-buffer.patch
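Review bot: `dev_name(&udev->parent->dev)` in the rewritten `dev_dbg()` dereferences `udev->parent` unconditionally, whereas the removed `%p` print tolerated a NULL parent; a root hub has no parent, so if `usbip_dump_usb_device()` can ever be reached for one this becomes a NULL dereference inside a debug path. A NULL-safe form keeps the improved message: `dev_dbg(dev, "parent %s, bus %s\n", udev->parent ? dev_name(&udev->parent->dev) : "none", udev->bus->bus_name);`. `usbip_dump_usb_device()` begins outside the hunk, so whether its callers exclude root hubs cannot be confirmed from here.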
@@ -0,0 +1,50 @@
+From 5fd77a3a0e408c23ab4002a57db980e46bc16e72 Mon Sep 17 00:00:00 2001
+From: Shuah Khan
+Date: Fri, 22 Dec 2017 19:23:47 -0700
+Subject: usbip: vudc_tx: fix v_send_ret_submit() vulnerability to null xfer buffer
+
+From: Shuah Khan
+
+commit 5fd77a3a0e408c23ab4002a57db980e46bc16e72 upstream.
+
+v_send_ret_submit() handles urb with a null transfer_buffer, when it
+replays a packet with potential malicious data that could contain a
+null buffer.
+
+Add a check for the condition when actual_length > 0 and transfer_buffer
+is null.
+
+Signed-off-by: Shuah Khan
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/usbip/vudc_tx.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/usbip/vudc_tx.c
++++ b/drivers/usb/usbip/vudc_tx.c
+@@ -97,6 +97,13 @@ static int v_send_ret_submit(struct vudc
+ memset(&pdu_header, 0, sizeof(pdu_header));
+ memset(&msg, 0, sizeof(msg));
+ 
++ if (urb->actual_length > 0 && !urb->transfer_buffer) {
++ dev_err(&udc->gadget.dev,
++ "urb: actual_length %d transfer_buffer null\n",
++ urb->actual_length);
++ return -1;
++ }
++
+ if (urb_p->type == USB_ENDPOINT_XFER_ISOC)
+ iovnum = 2 + urb->number_of_packets;
+ else
+@@ -112,8 +119,8 @@ static int v_send_ret_submit(struct vudc
+ 
+ /* 1. setup usbip_header */
+ setup_ret_submit_pdu(&pdu_header, urb_p);
+- usbip_dbg_stub_tx("setup txdata seqnum: %d urb: %p\n",
+- pdu_header.base.seqnum, urb);
++ usbip_dbg_stub_tx("setup txdata seqnum: %d\n",
++ pdu_header.base.seqnum);
+ usbip_header_correct_endian(&pdu_header, 1);
+ 
+ iov[iovnum].iov_base = &pdu_header;
-- 
2.47.3
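Review bot: The new guard returns a bare `-1` rather than an errno value, and since the other exits of `v_send_ret_submit()` are outside the hunk it cannot be checked here whether callers compare against specific codes; if the rest of the function uses negative errno values, `return -EINVAL;` is the consistent choice. The condition itself is sound: `actual_length > 0` with a NULL `transfer_buffer` is presumably the combination the later iov setup would otherwise read through. A one-line comment such as `/* peer-supplied length with no backing buffer: refuse rather than read through NULL */` above the `if` would record why the check sits before the iov sizing.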